mixed additions

ci/README.md

@@ -1,5 +1,35 @@
 # CI notes
 
+### FreeBSD
+```
+
+# attach shared to the jail eg to /media
+
+pkg install -y gh
+git clone https://github.com/openoms/joininbox
+cd joininbox
+gh run download
+
+shasum -a256 -c joininbox-amd64-debian-11.5.qcow2.gz.sha256
+gzip -dkv joininbox-amd64-debian-11.5.qcow2.gz
+shasum -a256 -c joininbox-amd64-debian-11.5.qcow2.sha256
+
+pkg install qemu
+
+qemu-image convert joininbox-amd64-debian-11.5.qcow2 /media/joininbox.img
+
+# In the FreeBSD root
+# create a zvol with the exact size of the raw image
+
+dd if=/mnt/cryptic/blitz/images/joininbox.img of=/dev/zvol/cryptic/blitz/jb221210 bs=4M status=progress
+```
+
+## Manage the artifacts and workflows with the GitHub CLI
+* https://github.com/cli/cli#installation
+
+## Download artifacts in CLI
+* https://docs.github.com/en/actions/managing-workflow-runs/downloading-workflow-artifacts
+
 ## Delete workflow runs
 ```
 OWNER=
@@ -13,9 +43,15 @@ WORKFLOW_ID=
 # list runs
 gh api -X GET /repos/$OWNER/$REPO/actions/workflows/$WORKFLOW_ID/runs | jq '.workflow_runs[] | .id' | tail -n 10
 
+# delete failed runs
+gh api -X GET /repos/$OWNER/$REPO/actions/workflows/$WORKFLOW_ID/runs | jq '.workflow_runs[] | select(.conclusion=="failure") | .id' | tail -n 10 | xargs -I{} gh api -X DELETE /repos/$OWNER/$REPO/actions/runs/{}
+
+# delete cancelled runs
+gh api -X GET /repos/$OWNER/$REPO/actions/workflows/$WORKFLOW_ID/runs | jq '.workflow_runs[] | select(.conclusion=="cancelled") | .id' | tail -n 10 | xargs -I{} gh api -X DELETE /repos/$OWNER/$REPO/actions/runs/{}
+
 # delete oldest 10 workflows (won't delete the running one)
 gh api -X GET /repos/$OWNER/$REPO/actions/workflows/$WORKFLOW_ID/runs | jq '.workflow_runs[] | .id' | tail -n 10 | xargs -I{} gh api -X DELETE /repos/$OWNER/$REPO/actions/runs/{}
 
-
 # delete newest 10 workflows (won't delete the running one)
 gh api -X GET /repos/$OWNER/$REPO/actions/workflows/$WORKFLOW_ID/runs | jq '.workflow_runs[] | .id' | head -n 10 | xargs -I{} gh api -X DELETE /repos/$OWNER/$REPO/actions/runs/{}
+```

joinmarket/systemd/jmdir_mainnet.service

@@ -6,9 +6,10 @@ After=network-online.target
 
 [Service]
 Type=simple
-ExecStart=/bin/bash -c 'cd /home/jmdir/joinmarket-clientserver && \
+ExecStart=/bin/bash -c 'cd /home/joinmarket/joinmarket-clientserver && source jmvenv/bin/activate \
- source jmvenv/bin/activate && cd scripts && python start-dn.py'
+&& cd scripts && python start-dn.py --datadir=/home/joinmarket/.joinmarket-mainnet mainnet-directory-node'
-User=jmdir
+User=joinmarket
+Restart=always
 
 [Install]
 WantedBy=multi-user.target

joinmarket/systemd/jmdir_signet.service

@@ -6,9 +6,11 @@ After=network-online.target
 
 [Service]
 Type=simple
-ExecStart=/bin/bash -c 'cd /home/jmdir/joinmarket-clientserver && \
+ExecStart=/bin/bash -c 'cd /home/joinmarket/joinmarket-clientserver \
- source jmvenv/bin/activate && cd scripts && python start-dn.py --datadir=/home/jmdir/.joinmarket-signet'
+&& source jmvenv/bin/activate && cd scripts &&  \
-User=jmdir
+python start-dn.py --datadir=/home/${user}/.joinmarket-signet signet-directory-node'
+User=joinmarket
+Restart=always
 
 [Install]
 WantedBy=multi-user.target

nginx/btcpayserver_forward.conf

@@ -0,0 +1,158 @@
+## fill in the DOMAIN_NAME
+## fill in the PREFIX_BTCPAY_PORT
+
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+    default                       $http_x_forwarded_proto;
+    ''                            $scheme;
+}
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+    default                       $http_x_forwarded_port;
+    ''                            $server_port;
+}
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+    default                       upgrade;
+    ''                            close;
+}
+# Apply fix for very long server names
+#server_names_hash_bucket_size 128;
+# Prevent Nginx Information Disclosure
+#server_tokens off;
+# Default dhparam
+# Set appropriate X-Forwarded-Ssl header
+map $scheme $proxy_x_forwarded_ssl {
+    default                       off;
+    https                         on;
+}
+
+#gzip on;
+ gzip_min_length                  1000;
+ gzip_types                       image/svg+xml text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+ log_format                       vhost '$host $remote_addr - $remote_user [$time_local
+ ]                                '
+ '"$request"                      $status $body_bytes_sent '
+'"$http_referer""$http_user_agent"';
+ access_log                       off;
+# HTTP 1.1 support
+ proxy_http_version               1.1;
+ proxy_buffering                  off;
+ proxy_set_header                 Host $http_host;
+ proxy_set_header                 Upgrade $http_upgrade;
+ proxy_set_header                 Connection $proxy_connection;
+ proxy_set_header                 X-Real-IP $remote_addr;
+ proxy_set_header                 X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header                 X-Forwarded-Proto $proxy_x_forwarded_proto;
+ proxy_set_header                 X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+ proxy_set_header                 X-Forwarded-Port $proxy_x_forwarded_port;
+ proxy_buffer_size                128k;
+ proxy_buffers                    4 256k;
+ proxy_busy_buffers_size          256k;
+ client_header_buffer_size        500k;
+ large_client_header_buffers      4 500k;
+# Mitigate httpoxy attack (see README for details)
+ proxy_set_header                 Proxy "";
+
+server {
+    listen                        80 http2;
+    listen                        443 ssl http2;
+    server_name                   pay.diynodes.com;
+
+    #                             add_header 'Access-Control-Allow-Origin' '*';
+
+    ssl_certificate               /etc/letsencrypt/live/$DOMAIN_NAME/fullchain.pem;
+    ssl_certificate_key           /etc/letsencrypt/live/$DOMAIN_NAME/privkey.pem;
+    ssl_session_timeout           1d;
+    ssl_session_cache             shared:SSL: 50m;
+    ssl_session_tickets           off;
+    ssl_protocols                 TLSv1.2 TLSv1.3;
+    ssl_ciphers                   'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+    ssl_prefer_server_ciphers     on;
+    ssl_stapling                  on;
+    ssl_stapling_verify           on;
+    ssl_trusted_certificate       /etc/letsencrypt/live/$DOMAIN_NAME/chain.pem;
+
+    location / {
+        #                         add_header 'Access-Control-Allow-Origin' '*';
+
+        proxy_pass                $PREFIX_BTCPAY_PORT;
+
+        #                         For websockets
+        #proxy_set_header         Upgrade $http_upgrade;
+        #proxy_set_header         Connection $http_connection;
+
+        proxy_redirect            off;
+
+        proxy_set_header          X-Forwarded-Host $http_host;
+        proxy_set_header          Host $http_host;
+        proxy_set_header          Upgrade $http_upgrade;
+        proxy_set_header          Connection $proxy_connection;
+        proxy_set_header          X-Real-IP $remote_addr;
+        proxy_set_header          X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header          X-Forwarded-Proto $proxy_x_forwarded_proto;
+        proxy_set_header          X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+        proxy_set_header          X-Forwarded-Port $proxy_x_forwarded_port;
+        client_max_body_size      100M;
+
+
+        #proxy_set_header         Host $http_host;
+        #proxy_set_header         X-Real-IP $remote_addr;
+        #proxy_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;
+        #proxy_set_header         X-Forwarded-Proto https;
+        #proxy_read_timeout       600;
+        #proxy_connect_timeout    600;
+        #proxy_send_timeout       600;
+    }
+
+
+    #location = /.well-known/nostr.json {
+    #                             return 301 https: //nostr.diynodes.com$request_uri;
+    #
+}
+
+location /.well-known/nostr.json {
+    add_header                    'Access-Control-Allow-Origin' '*';
+    alias                         /var/www/html/.well-known/nostr.json;
+}
+
+
+#  location /.well-known/lnurlp/openoms {
+#   add_header 'Access-Control-Allow-Origin' '*';
+#   proxy_pass      https: //100.106.178.118:23001;
+#proxy_redirect off;
+#proxy_set_header Host $http_host;
+#proxy_set_header X-Real-IP $remote_addr;
+#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#proxy_set_header X-Forwarded-Proto https;
+#
+#proxy_read_timeout 600;
+#proxy_connect_timeout 600;
+#proxy_send_timeout 600;
+#
+## remove if not needed
+## proxy_set_header X-Forwarded-Host $server_name;
+#
+}
+#
+#
+location /BTC/UILNURL/pay/i {
+    add_header                    'Access-Control-Allow-Origin' '*';
+    proxy_pass                    $PREFIX_BTCPAY_PORT;
+    proxy_redirect                off;
+    proxy_set_header              Host $http_host;
+    proxy_set_header              X-Real-IP $remote_addr;
+    proxy_set_header              X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header              X-Forwarded-Proto https;
+
+    proxy_read_timeout            600;
+    proxy_connect_timeout         600;
+    proxy_send_timeout            600;
+
+    #                             remove if not needed
+    #                             proxy_set_header X-Forwarded-Host $server_name;
+}
+}

nginx/btcpayserver_subdomain.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 
-# WOWRK IN PROGRESS
+# WORK IN PROGRESS
+# see https://gist.github.com/NicolasDorier/1a7fce6836ee55a7fa2c7f65417b88b5
 
 echo "
 Input your email:
@@ -31,7 +32,7 @@ sudo certbot certonly -a standalone -m $EMAIL --agree-tos \
 cat EOF | sudo tee /etc/nginx/sites-available/${SUBDOMAIN}
 # sudo cat /etc/nginx/sites-enabled/${SUBDOMAIN}
 server {
-  listen 80;
+  listen 80 http2;
   listen 443 ssl http2;
   server_name ${SUBDOMAIN};
 

raspiblitz-custom-install-scripts/README.md

@@ -0,0 +1,17 @@
+Raspiblitz custom installs
+
+* default:
+```
+cat /mnt/hdd/app-data/custom-installs.sh
+```
+```
+#!/bin/bash
+
+# This script runs with sudo rights after an update/recovery from a fresh sd card.
+# This is the place to put all the install commands, cronjobs or editing of system configs
+# for your personal modifications of RaspiBlitz
+
+# note: use absolute paths if you point to specific files
+
+echo "There are no custom user installs so far."
+```

raspiblitz-custom-install-scripts/custom-installs.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+./tailscale.sh

raspiblitz-custom-install-scripts/tailscale.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+echo "# Install Tailscale"
+mv  /var/lib/tailscale /var/lib/tailscale.backup
+curl -fsSL https://tailscale.com/install.sh | sh
+systemctl stop tailscaled
+rm -rf /var/lib/tailscale
+cp -r /mnt/hdd/app-data/tailscale /var/lib
+systemctl start tailscaled
+echo "# Tailscale install done"

tor/checkHiddenService.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+hidden_service="xxxxxxxxxx.onion"
+port=80
+if ! torsocks nc -zv ${hidden_service} ${port}; then
+  echo "restart Tor"
+  sudo systemctl restart tor@default
+fi

tor/crontab.sh

@@ -0,0 +1,10 @@
+if ! crontab -u admin -l | grep checkHiddenService; then
+  cronjob="0,15,30,45 * * * * /home/admin/checkHiddenService"
+  (
+    crontab -u admin -l
+    echo "$cronjob"
+  ) | crontab -u admin -
+fi
+echo "# The crontab for admin now is:"
+crontab -u admin -l
+echo

zfs/create-ext4-raspiblitz-disk.md

@@ -0,0 +1,77 @@
+parted -s /dev/${hdd} mkpart primary ext4 1024KiB 100%
+mkfs.ext4 -F -L BLOCKCHAIN /dev/${hdd}
+tune2fs -c 1 /dev/${hdd}
+
+
+
+    hddDataPartitionExt4=$hdd
+    # loop until the uuids are available
+    uuid1=""
+    loopcount=0
+    while [ ${#uuid1} -eq 0 ]
+    do
+      echo "# waiting until uuid gets available"
+      sleep 2
+      sync
+      uuid1=$(lsblk -o NAME,UUID | grep "${hddDataPartitionExt4}" | awk '$1=$1' | cut -d " " -f 2 | grep "-")
+      loopcount=$(($loopcount +1))
+      if [ ${loopcount} -gt 10 ]; then
+        echo "error='no uuid'"
+        exit 1
+      fi
+    done
+
+    echo "# mount /mnt/hdd"
+    mkdir -p /mnt/hdd 1>/dev/null
+    updated=$(cat /etc/fstab | grep -c "/mnt/hdd")
+    if [ $updated -eq 0 ]; then
+       echo "# updating /etc/fstab"
+       sed "/raspiblitz/ i UUID=${uuid1} /mnt/hdd ext4 noexec,defaults 0 2" -i /etc/fstab 1>/dev/null
+    fi
+    sync
+    mount -a 1>/dev/null
+
+
+
+
+      # make sure common base directory exits
+  mkdir -p /mnt/hdd/lnd
+  mkdir -p /mnt/hdd/app-data
+
+      >&2 echo "# Creating EXT4 setup links"
+    >&2 echo "# opening blockchain into /mnt/hdd"
+    mkdir -p /mnt/hdd/bitcoin
+    >&2 echo "# linking blockchain for user bitcoin"
+    rm /home/bitcoin/.bitcoin 2>/dev/null
+    ln -s /mnt/hdd/bitcoin /home/bitcoin/.bitcoin
+    >&2 echo "# linking lnd for user bitcoin"
+    rm /home/bitcoin/.lnd 2>/dev/null
+    ln -s /mnt/hdd/lnd /home/bitcoin/.lnd
+    >&2 echo "# creating default storage & temp folders"
+    mkdir -p /mnt/hdd/app-storage
+    mkdir -p /mnt/hdd/temp
+
+
+  # fix ownership of linked files
+  chown -R bitcoin:bitcoin /mnt/hdd/bitcoin
+  chown -R bitcoin:bitcoin /mnt/hdd/lnd
+  chown -R bitcoin:bitcoin /home/bitcoin/.lnd
+  chown -R bitcoin:bitcoin /home/bitcoin/.bitcoin
+  chown bitcoin:bitcoin /mnt/hdd/app-storage
+  chown bitcoin:bitcoin /mnt/hdd/app-data
+  chown -R bitcoin:bitcoin /mnt/hdd/temp 2>/dev/null
+  chmod -R 777 /mnt/temp 2>/dev/null
+  chmod -R 777 /mnt/hdd/temp 2>/dev/null
+
+  # write info files about what directories are for
+
+  echo "The /mnt/hdd/temp directory is for short time data and will get cleaned up on very start. Dont work with data here thats bigger then 25GB - because on BTRFS hdd layout this is a own partition with limited space. Also on BTRFS hdd layout the temp partition is an FAT format - so it can be easily mounted on Windows and OSx laptops by just connecting it to such laptops. Use this for easy export data. To import data make sure to work with the data before bootstrap is deleting the directory on startup." > ./README.txt
+  mv ./README.txt /mnt/hdd/temp/README.txt 2>/dev/null
+
+  echo "The /mnt/hdd/app-data directory should be used by additional/optional apps and services installed to the RaspiBlitz for their data that should survive an import/export/backup. Data that can be reproduced (indexes, etc.) should be stored in app-storage." > ./README.txt
+  mv ./README.txt /mnt/hdd/app-data/README.txt 2>/dev/null
+
+  echo "The /mnt/hdd/app-storage directory should be used by additional/optional apps and services installed to the RaspiBlitz for their non-critical and reproducible data (indexes, public blockchain, etc.) that does not need to survive an an import/export/backup. Data is critical should be in app-data." > ./README.txt
+  mv ./README.txt /mnt/hdd/app-storage/README.txt 2>/dev/null
+
+  >&2 echo "# OK - all symbolic links are built"

zfs/create-raspiblitz-zfs-disk.md

@@ -27,11 +27,11 @@
     # work as root
     sudo su -
 
-    echo "deb http://deb.debian.org/debian bullseye-backports main contrib" | sudo tee -a /etc/apt/sources.list.d/bullseye-backports.list
+    echo "deb http://deb.debian.org/debian bookworm-backports main contrib
-    echo "deb-src http://deb.debian.org/debian bullseye-backports main contrib" | sudo tee -a /etc/apt/sources.list.d/bullseye-backports.list
+    deb-src http://deb.debian.org/debian bookworm-backports main contrib" | sudo tee -a /etc/apt/sources.list.d/bookworm-backports.list
 
     echo "Package: src:zfs-linux" | sudo tee -a /etc/apt/preferences.d/90_zfs
-    echo "Pin: release n=bullseye-backports" | sudo tee -a /etc/apt/preferences.d/90_zfs
+    echo "Pin: release n=bookworm-backports" | sudo tee -a /etc/apt/preferences.d/90_zfs
     echo "Pin-Priority: 990" | sudo tee -a /etc/apt/preferences.d/90_zfs
 
     apt update
@@ -248,9 +248,13 @@
     ```
     zpool import
     zpool import -a
+
+    # restore the key
+
     sudo /sbin/zfs load-key -a
     sudo /sbin/zfs mount -la
 
+
     # automount with cron
     cronjob="@reboot sudo /sbin/zfs load-key -a; sudo /sbin/zfs mount -la"
     (